Hey all. :)

I was wondering if someone could help me out here. I'm trying to search the process of a program for certain bytes, but I'm getting some weird results with the code I wrote. Basically, it'll execute the @@Found code even if the bytes don't exist in the process and I can't figure out why. Here's what I have:



.elseif uMsg == WM_COMMAND
    .if wParam == IDSEARCH

        invoke GetDlgItemText, hWnd, IDC_PROCS, \
               ADDR FileName, MAX_PATH

        invoke GetStartupInfo, ADDR SINFO

        ; create the target process suspended
        invoke CreateProcess, ADDR FileName, NULL, NULL, \
               FALSE, NORMAL_PRIORITY_CLASS \
               OR CREATE_SUSPENDED, \
               NULL, ADDR SINFO, ADDR PINFO

        invoke OpenProcess, PROCESS_ALL_ACCESS, FALSE, \
               PINFO.dwProcessId
        mov hProcess, eax

        push esi
        push edi

    @@Search:
        ; read the next 1K chunk at ReadBase into Buffer
        invoke ReadProcessMemory, hProcess, ReadBase, \
               ADDR Buffer, 1024, \
               ADDR ReadBytes

        xor ecx, ecx
        lea esi, Buffer

    @@Compare:
        mov edx, dword ptr [ReadBytes]

        .if edx != 0
            mov eax, dword ptr [Buffer+ecx]

            add ecx, 4

            .if eax == 68000CC2h        ; bytes C2 0C 00 68 as they sit in memory
                jmp @@Found
            .endif

            .if ecx != 1024
                jmp @@Compare
            .else
                add ReadBase, edx       ; advance to the next chunk
                jmp @@Search
            .endif
        .endif

    @@Found:
        invoke MessageBox, hWnd, ADDR FileName, NULL, MB_OK

    @@Done:
        pop edi
        pop esi

        invoke TerminateProcess, hProcess, NULL
        invoke TerminateProcess, PINFO.hProcess, NULL
        invoke CloseHandle, PINFO.hProcess
        invoke CloseHandle, PINFO.hThread

        mov ReadBase, 401000h
        mov dword ptr [ReadBytes], 0
    .endif


I don't know if this code is working the way I want it to (well, obviously not, but here's an explanation of what I'm trying to do :) I'm trying to read the process in 1k chunks starting at 401000 to Buffer. Then I'm searching Buffer for C20C0068. If it's found, MessageBox, then cleanup. If all 1024 bytes are read without a hit, then the next chunk of the process is read and checked.

Any ideas on what's wrong?

Thanks for the read :)
bl00dbath
Posted on 2001-11-21 23:18:34 by bl00dbath
Well, you're searching for C20C0068; maybe the first part is in one buffer and the next part is in the next.
Posted on 2001-11-22 00:55:35 by Predator
You'd have to jump over found to @@Done, otherwise it'll execute. :)
Try this:
@@Compare:
    mov edx, dword ptr [ReadBytes]

    .if edx >= 4
        mov eax, dword ptr [Buffer+ecx]

        add ecx, 4

        .if eax == 68000CC2h
            invoke MessageBox, hWnd, ADDR FileName, NULL, MB_OK
        .else
            .if ecx != 1024
                jmp @@Compare
            .else
                add ReadBase, edx
                jmp @@Search
            .endif
        .endif
    .endif

@@Done:
    pop edi
    pop esi
Posted on 2001-11-22 01:13:46 by bitRAKE
Ok, a bit too tired to look closely at your routine right now, but I assume you advance by "buffersize" in your search... as Predator hinted, your search might miss the search value if it's located on a cross-buffer boundary...
Posted on 2001-11-22 01:33:21 by f0dder
f0dder, all the comparisons are DWORD aligned, so I assume that is what he wants. If not, then ecx should be incremented by one, and should add a sub ReadBase,3 after the add ReadBase,edx. :)

Oh, and the initial if statement should be .if edx<4 - in any case of the matter. ;)
Posted on 2001-11-22 02:51:06 by bitRAKE
Thanks for the quick replies guys :)

Good eye, bitRAKE, I didn't even notice that I didn't have a jmp to @@Done at all without going through finish.

Also, I think you're right, Preddy: when I search for a dword that's right at the beginning of the process I get a hit, but if I pick one further away, it doesn't pick it up.

Maybe I should try searching 1 word at a time instead of searching by dword? This way I could check ah and al for the first byte I'm searching for, then read another word if it's found and check through to see if I get a match.

Let me know your thoughts :)

Thanks,
bl00dbath
Posted on 2001-11-22 09:03:56 by bl00dbath
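Predator's and f0dder's cross-buffer-boundary point and bl00dbath's byte-at-a-time idea, as an added C example that is not code from the thread: a scanner over a constructed 2K image (read_mem is a hypothetical stand-in for ReadProcessMemory) that carries the last pattern-length-minus-one bytes of each 1K chunk in front of the next read, shown beside the thread's aligned-DWORD loop for contrast.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CHUNK 1024   /* same 1K read size as the thread's loop */

/* Hypothetical stand-in for ReadProcessMemory, reading from a constructed image. */
static size_t read_mem(const uint8_t *img, size_t len, size_t base, uint8_t *out, size_t want) {
    if (base >= len) return 0;
    size_t n = len - base < want ? len - base : want;
    memcpy(out, img + base, n);
    return n;
}

/* The thread's approach: aligned DWORDs per chunk, no carry-over, so a value that
 * straddles a chunk boundary or sits at an unaligned offset is missed. */
long scan_aligned_dwords(const uint8_t *img, size_t len, uint32_t val) {
    uint8_t buf[CHUNK];
    for (size_t base = 0;; base += CHUNK) {
        size_t got = read_mem(img, len, base, buf, CHUNK);
        if (got < 4) return -1;
        for (size_t i = 0; i + 4 <= got; i += 4) {   /* little-endian load, like mov eax,[..] */
            uint32_t v = buf[i] | buf[i+1] << 8 | buf[i+2] << 16 | (uint32_t)buf[i+3] << 24;
            if (v == val) return (long)(base + i);
        }
    }
}

/* Byte-granular scan that carries the last pat_len-1 bytes of each chunk in front
 * of the next read, so a match straddling the boundary is still found. */
long scan_bytes_with_carry(const uint8_t *img, size_t len, const uint8_t *pat, size_t pat_len) {
    uint8_t buf[CHUNK + 16];            /* room for the carried-over tail */
    size_t carry = 0, base = 0;
    if (pat_len == 0 || pat_len > 16) return -1;
    for (;;) {
        size_t got = read_mem(img, len, base, buf + carry, CHUNK);
        if (got == 0) return -1;
        size_t avail = carry + got;
        for (size_t i = 0; i + pat_len <= avail; i++)
            if (memcmp(buf + i, pat, pat_len) == 0) return (long)(base - carry + i);
        carry = avail < pat_len - 1 ? avail : pat_len - 1;
        memmove(buf, buf + avail - carry, carry);
        base += got;
    }
}
```

With the pattern bytes C2 0C 00 68 (68000CC2h as a little-endian DWORD) placed at offset 1022 of a 2048-byte image, scan_aligned_dwords returns -1 while scan_bytes_with_carry returns 1022.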